How to setup Nginx TLS certificate based Authentication (VPN alternative)

Hello this will be quick and dirty guide for setting nginx with TLS based authentication. It an idea I researched after seeing @scottalanmiller video comparing this with VPN, I will not include many setting like selinux or firewalld or nginx config in separate files instead of the main config, however feel free to enhance this. I am happy that I got it working thus writing it (This guide uses Centos 7 minimal as a base).

What we did above, is installed nginx + prepared directory that is already mentioned in nginx main config and created 2 self signed certificates for https.
Dont get this confused with self signed certificates for clients, this is another step we will do right now, stay in /etc/pki/nginx:

The first 2 files creates the CA (Certifcate Authority), while the rest 5 commands deals with creation of client cert, and feel free to rename client to the name of user,
also the last 2 lines exports the client cert to p12 and pem format. I didnt need the pem format FYI.

Now I needed to manually add the ca.crt file to "/etc/pki/tls/certs/ca-bundle.crt" (this took days of research)...
So copy the contents of "/etc/pki/nginx/ca.crt" and paste it at the end of "/etc/pki/tls/certs/ca-bundle.crt" or use this command:

cat /etc/pki/nginx/ca.crt >> /etc/pki/tls/certs/ca-bundle.crt

Finally restart nginx

systemctl restart nginx

and copy the p12 file you created in "/etc/pki/nginx/client.p12" to your client machines be it a Windows or Linux or Mac OS X as long as it has good web browser.
And install it into the webbrowser, I choose the Personal Store and make sure when you click advanced all the ticks are checked for it is usage.

Now open the IP of your https machines, if you didnt import the P12 file you will see "400 Bad Request No required SSL certificate was sent"

However if you did you will be able to select the cert and cotinue to login:

This works wonders paired with proxy, which @JaredBusch wrote article about:

On one final note, as with all exercises, it’s important to be practical and know that things change. Inevitably there will come a time when someone leaves your team and their certificate needs to be invalidated. Running the following script with the correct username will add the user’s certificate to the revocation list and ensure that they can no longer access the site:

@Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).

@Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).

@Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).

@Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).

Hey Nash,
Correct, no one can see the site without installed the p12 file in their browser. Will get error page instead.

Well I dont use this to restrict pages persay, more like be front end for whole site, whole HTTP unsecure server. and nginx can be installed on the same machine or another and act as gateway for it.

Imagine good knowledge base article for company that resides in the Intranet, local machine in LAN using Apache/MySQL (Think Wordpress) and some people said it is good if they can access it remotely.

So my previous options was to use VPN or if the users are another site with static IP (rare and limited) you can create firewall rules, however using this new method I can just install nginx and setup TLS certificate authentication and provide users with p12 file and run nginx on https and make it a front end proxy for that KB site.

Now I needed to manually add the ca.crt file to "/etc/pki/tls/certs/ca-bundle.crt" (this took days of research)...
So copy the contents of "/etc/pki/nginx/ca.crt" and paste it at the end of "/etc/pki/tls/certs/ca-bundle.crt" Finally restart nginx

@Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).

Hey Nash,
Correct, no one can see the site without installed the p12 file in their browser. Will get error page instead.

Well I dont use this to restrict pages persay, more like be front end for whole site, whole HTTP unsecure server. and nginx can be installed on the same machine or another and act as gateway for it.

Imagine good knowledge base article for company that resides in the Intranet, local machine in LAN using Apache/MySQL (Think Wordpress) and some people said it is good if they can access it remotely.

So my previous options was to use VPN or if the users are another site with static IP (rare and limited) you can create firewall rules, however using this new method I can just install nginx and setup TLS certificate authentication and provide users with p12 file and run nginx on https and make it a front end proxy for that KB site.

Unfortunately , while I did learn alot new stuff and ways. The original reason for learning this failed me.

What I did I install Fedora LXDE spin

Then installed ontop of that VNC on port 5901 made it run on local host

Then using No VNC and Websockify (is a WebSocket to TCP proxy/bridge. This allows a browser to connect to any application/server/service. Implementations in Python, C, Node.js and Ruby.) Which creates a neat HTML 5 interface for VNC service, I configured this to listen to 127.0.0.1:5901 and output to port 7777
so http://192.168.1.x:7777
allows me to connect to my machine.

It worked and installed on Fedora, and I can reach the noVNC connection dialog only after inserting the p12 key, however this lame login page:

with the host and port option, does not allow me to finish the connection, I tried many options but I am so confused with all the proxying that I rather drop it, I feel like If I do more effort I might open proxy to another dimension.

@Emad-R Am I understanding this correctly? Is this to prevent access to a site to anyone who doesn't have the cert installed in their browser? If so, do you think this can be restricted in scope to only a single page or set of pages? For example, a public site with some admin functions via a login page, could this be used to continue to allow public access to the public pages but used to restrict access to the login and admin pages to only those with the cert? I suppose I've have to use Nginx and this config only for those restricted pages and a different config for the public space (if that's even possible).

Hey Nash,
Correct, no one can see the site without installed the p12 file in their browser. Will get error page instead.

Well I dont use this to restrict pages persay, more like be front end for whole site, whole HTTP unsecure server. and nginx can be installed on the same machine or another and act as gateway for it.

Imagine good knowledge base article for company that resides in the Intranet, local machine in LAN using Apache/MySQL (Think Wordpress) and some people said it is good if they can access it remotely.

So my previous options was to use VPN or if the users are another site with static IP (rare and limited) you can create firewall rules, however using this new method I can just install nginx and setup TLS certificate authentication and provide users with p12 file and run nginx on https and make it a front end proxy for that KB site.

You will also now have to replace client certificates yearly.

But that is good security practice as well. I will know when this happens when they all complain the same time about site access no need to set reminder

Unfortunately , while I did learn alot new stuff and ways. The original reason for learning this failed me.

What I did I install Fedora LXDE spin

Then installed ontop of that VNC on port 5901 made it run on local host

Then using No VNC and Websockify (is a WebSocket to TCP proxy/bridge. This allows a browser to connect to any application/server/service. Implementations in Python, C, Node.js and Ruby.) Which creates a neat HTML 5 interface for VNC service, I configured this to listen to 127.0.0.1:5901 and output to port 7777
so http://192.168.1.x:7777
allows me to connect to my machine.

It worked and installed on Fedora, and I can reach the noVNC connection dialog only after inserting the p12 key, however this lame login page:

with the host and port option, does not allow me to finish the connection, I tried many options but I am so confused with all the proxying that I rather drop it, I feel like If I do more effort I might open proxy to another dimension.

I prefer using Guacamole for all my remote access needs but I think I'll definitely implement something like this to restrict access to my own staff.